For most covered entities, the Privacy Rule compliance
date is April 14, 2003; however, certain small health plans have
until April 14, 2004. The approved HIPAA privacy rule provides minimum
applicable standards in the area of protecting a patient's right
to privacy. More stringent state laws supercede this rule to ensure
the highest level of patient privacy possible in every instance.
This rule creates national standards to protect individual medical
records and other personal health information regardless of the
format (electronic, paper or verbal). Privacy rules impact how and
to whom data is disclosed, while the security rule impacts the physical
safety of that data. These rules work together and should be treated
as a unit during the implementation of any HIPAA compliance strategy.

This rule provides individuals with significant
control over their health information. As a result, patients can
request restrictions on the use and disclosure of their health information,
have the right to review and copy their medical records, and can
request that appropriate amendments or corrections be made to their
medical records.

Additionally, the rule balances public responsibility
with privacy protections by setting boundaries on medical record
use and release. Specifically, covered entities are allowed to transmit
PHI for the purposes of Treatment, Payment and Healthcare Operations
(TPO) without obtaining an individual's written consent; however,
the covered entity must obtain an authorization where indicated
as well as inform patients of their business practices (disclosures
and legal obligations in handling PHI), known as Notice of Privacy
Practices, concerning the use and/or disclosure of health information.
The rule further protects PHI by requiring covered entities to adopt
written privacy procedures, train their employees in these practices
and designate a privacy official.